Security: Chrome PDF reader has no restrictions/user confirmation on URI action
Reported by
shenegam...@gmail.com,
Jun 12 2018
Issue description

VULNERABILITY DETAILS
It's possible for PDF files to contain actions that can be triggered by different events and user interactions. One of the actions that works in Google Chrome is the "URI action". The URI action allows you to create a hyperlink that can open a web page in a web browser; this action makes web applications that give users the ability to upload PDF files, such as Dropbox and Facebook, vulnerable to open redirects [https://www.owasp.org/index.php/Unvalidated_Redirects_and_Forwards_Cheat_Sheet]. Other browsers, Firefox and Edge, do not trigger the URI action when viewing a PDF file in them.

To clarify the issue, I uploaded a PDF file to Dropbox containing a URI action. When you click on the following link you will get redirected to evilzone.org ("this will only work on Google Chrome"):
https://www.dropbox.com/s/iqh491g0yqvpxep/sss.pdf?disable_range=1&from_native_print=1&preview=1

What happens is this:
- Dropbox returns the PDF file
- Google Chrome views the PDF file
- Google Chrome executes the URI action
- User gets redirected to the malicious URL

VERSION
Google Chrome Version: 67.0.3396.79 (Official Build) (64-bit)
Operating System: Windows 10

REPRODUCTION CASE
1- Open Notepad
2- Paste the following code:

    %PDF-1.7
    trailer
    << /Root 1 0 R >>
    1 0 obj
    << /Type /Catalog /Pages 2 0 R /OpenAction 2 0 R >>
    endobj
    2 0 obj
    << /Type /Action /S /URI /URI (http://evilzone.org) % URL HERE
    >>
    endobj
    %%EOF

3- Save the file as PDF
4- Upload the file
5- Visit the file using the browser

Attachments contain a PDF file; you can edit it as you like.

Fix:
Two solutions can be implemented:
1- Preventing the URI action, like in other browsers
2- Showing a confirmation popup box to the user before they get redirected
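A defender-side check for the mechanism the report describes, added here as an example (it is not Chromium, PDFium or the reporter's code): it scans an uploaded PDF for a catalog /OpenAction that resolves to a /S /URI action, which is the no-click redirect case, and separates it from URI actions that are reachable only through link annotations, which is the class the relanded PDFium change ("Make potentially dangerous Actions require a user click") gates behind a click. The two sample PDFs and the `.invalid` URLs are constructed; the regex-based object scan is an assumption that works for small, uncompressed files like the one in the report and is not a full PDF parser (object streams, encryption and nested dictionaries need a real library).

```python
"""Detect PDFs whose /OpenAction fires a URI action (redirect with no user click).

Added example, not Chromium/PDFium/reporter code. The regex-based scan is an
assumption: adequate for small, uncompressed PDFs such as the report's
reproduction case; object streams, encryption and nested dicts need a real parser.
"""
import re
from typing import Dict, List, Optional

# Constructed sample: catalog /OpenAction -> URI action, the pattern in the report.
SAMPLE_AUTO = b"""%PDF-1.7
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
3 0 obj << /Type /Action /S /URI /URI (http://redirect-target.invalid/) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Constructed sample: the URI action sits only behind a /Link annotation (needs a click).
SAMPLE_CLICK = b"""%PDF-1.7
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [4 0 R] /Count 1 >> endobj
3 0 obj << /Type /Action /S /URI /URI (https://docs.invalid/help) >> endobj
4 0 obj << /Type /Page /Parent 2 0 R /Annots [5 0 R] >> endobj
5 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 100 20] /A 3 0 R >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.DOTALL)
REF_RE = re.compile(rb"^\s*(\d+)\s+\d+\s+R")
ROOT_RE = re.compile(rb"/Root\s+(\d+)\s+\d+\s+R")
# An action value is an indirect reference, an inline dict, or (for OpenAction) a destination array.
VALUE = rb"(\d+\s+\d+\s+R|<<.*?>>|\[.*?\])"
OPEN_ACTION_RE = re.compile(rb"/OpenAction\s*" + VALUE, re.DOTALL)
LINK_ACTION_RE = re.compile(rb"/A\b\s*" + VALUE, re.DOTALL)
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")


def parse_objects(data: bytes) -> Dict[int, bytes]:
    """Map object number -> raw body for each 'N G obj ... endobj' block."""
    return {int(m.group(1)): m.group(3) for m in OBJ_RE.finditer(data)}


def resolve(objs: Dict[int, bytes], token: bytes) -> Optional[bytes]:
    """Follow an 'N G R' reference (None if dangling); return inline values unchanged."""
    m = REF_RE.match(token)
    return objs.get(int(m.group(1))) if m else token


def uri_of_action(action: Optional[bytes]) -> Optional[str]:
    """URI string if the dictionary is a /S /URI action, else None."""
    if action is None or not re.search(rb"/S\s*/URI\b", action):
        return None
    m = URI_RE.search(action)
    return m.group(1).decode("latin-1") if m else None


def auto_open_uri(data: bytes) -> Optional[str]:
    """URI a viewer honouring /OpenAction would navigate to on open, with no click."""
    objs = parse_objects(data)
    root = ROOT_RE.search(data)
    catalog = objs.get(int(root.group(1))) if root else None
    if catalog is None:
        return None
    m = OPEN_ACTION_RE.search(catalog)
    if not m:
        return None
    # A destination array ([page /Fit]) is benign; only URI action dicts are flagged.
    return uri_of_action(resolve(objs, m.group(1)))


def click_uris(data: bytes) -> List[str]:
    """URIs reachable only via /Link annotations, i.e. after a user click."""
    objs = parse_objects(data)
    found = []
    for body in objs.values():
        if not re.search(rb"/Subtype\s*/Link\b", body):
            continue
        m = LINK_ACTION_RE.search(body)
        uri = uri_of_action(resolve(objs, m.group(1))) if m else None
        if uri:
            found.append(uri)
    return found


def assess(data: bytes) -> str:
    """Upload-filter verdict for the redirect behaviour described in the report."""
    if auto_open_uri(data) is not None:
        return "auto-redirect"   # fires on open with no interaction: strip or reject
    if click_uris(data):
        return "click-only"      # the relanded PDFium change gates these behind a click
    return "no-uri-actions"


def strip_open_action(data: bytes) -> bytes:
    """Mitigation: drop the catalog's /OpenAction entry so nothing runs on open.
    Byte offsets shift, so for real files re-serialize with a PDF library to keep
    the xref table valid; the xref-less samples above are unaffected."""
    return OPEN_ACTION_RE.sub(b"", data, count=1)


if __name__ == "__main__":
    for name, pdf in (("auto", SAMPLE_AUTO), ("click", SAMPLE_CLICK)):
        print(name, assess(pdf), auto_open_uri(pdf), click_uris(pdf))
    print("stripped", assess(strip_open_action(SAMPLE_AUTO)))
```

`assess` is the hook an upload pipeline would call: "auto-redirect" is the case the report demonstrates and is worth rejecting or rewriting with `strip_open_action` at upload time regardless of which viewer the recipient uses, while "click-only" documents behave the way the post-fix PDFium does (a navigation only after a deliberate click) and can be left alone or logged.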
,
Jun 12 2018
Hi, I checked the previous report. I actually tested the ability to run JS through a PDF file; there are no security risks since the PDF file gets executed in a different origin and Google Chrome blocks any JS function that loads content or redirects the user to/from a URL. As you mentioned, this doesn't rely on JS; it's just a redirection action that I believe needs to be restricted/blocked. It creates an unexpected behavior that most developers aren't aware of, which leads to making their applications vulnerable to open redirects.
,
Jun 12 2018
hmm, see https://sites.google.com/site/bughunteruniversity/nonvuln/open-redirect and https://sites.google.com/site/bughunteruniversity/best-reports/openredirectsthatmatter. I'm not sure we care about open redirects, but perhaps tsepez can comment here?
,
Jun 12 2018
Hi, Yes, Google security doesn't care about it in their web applications, but other companies do care. Notice that the above link describes that open redirects aren't acceptable if you find one in a web application belonging to Google; this report is about Google Chrome and how it makes web applications vulnerable to open redirects.
,
Jun 13 2018
I suspect that if you allow uploads of active content, then the site has bigger problems, but we may want to close this anyways.
,
Jun 13 2018
I don't think allowing PDF uploads on a web application is a problem or should raise security concerns; web developers shouldn't have to write their own PDF reader to prevent this behavior.
,
Jun 19 2018
,
Jun 30 2018
Hi, any updates about this? :-) Thanks,
,
Jul 27
,
Sep 4
Setting PDF bugs assigned to me back to untriaged so they can get re-assigned as needed.
,
Sep 5
,
Sep 18
Hi shenegamy35, Do we have permission to add the provided file to our test suite?
,
Sep 18
Hi, Yes of course
,
Sep 19
,
Sep 20
,
Sep 21
,
Sep 24
,
Sep 24
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/6800720983c8b8a99ed7ee4cc227e6432b33f267

commit 6800720983c8b8a99ed7ee4cc227e6432b33f267
Author: chromium-autoroll <chromium-autoroll@skia-public.iam.gserviceaccount.com>
Date: Mon Sep 24 18:28:17 2018

Roll src/third_party/pdfium e65756725f82..97f4483de007 (14 commits)

https://pdfium.googlesource.com/pdfium.git/+log/e65756725f82..97f4483de007

git log e65756725f82..97f4483de007 --date=short --no-merges --format='%ad %ae %s'
2018-09-24 hnakashima@chromium.org Revert "Make potentially dangerous Actions require a user click."
2018-09-22 thestig@chromium.org Remove useless charset data in CFGAS_FontMgr.
2018-09-22 thestig@chromium.org Roll build/ f53effa79..dfca77bb0 (53 commits)
2018-09-22 thestig@chromium.org Move some CFGAS_FontMgr methods into an anonymous namespace.
2018-09-22 thestig@chromium.org Change CBC_QRCoderMatrixUtil::BuildMatrix() to return a bool.
2018-09-22 thestig@chromium.org Encapsulate CBC_QRCoderMatrixUtil code.
2018-09-22 thestig@chromium.org Remove CBC_CommonByteArray and CBC_QRCoderBlockPair.
2018-09-21 npm@chromium.org Cleanup in CCodec_FaxModule
2018-09-21 tsepez@chromium.org Replace CPDF_Color::Copy() with honest-to-goodness operator=().
2018-09-21 npm@chromium.org Make OutputIndex() a void method
2018-09-21 thestig@chromium.org Fix destruction order with CPDF_StreamAcc.
2018-09-21 thestig@chromium.org Remove unreachable code in CPDF_DIBBase.
2018-09-21 thestig@chromium.org Validate more image values in CPDF_DIBBase.
2018-09-20 hnakashima@chromium.org Make potentially dangerous Actions require a user click.

Created with:
  gclient setdep -r src/third_party/pdfium@97f4483de007

The AutoRoll server is located here: https://autoroll.skia.org/r/pdfium-autoroll

Documentation for the AutoRoller is here: https://skia.googlesource.com/buildbot/+/master/autoroll/README.md

If the roll is causing failures, please contact the current sheriff, who should be CC'd on the roll, and stop the roller if necessary.

BUG= chromium:851821 , chromium:887626 , chromium:851821
TBR=dsinclair@chromium.org

Change-Id: I1cfa2cae8e4f0aae0ca74f00ecfc7e8a8060efa9
Reviewed-on: https://chromium-review.googlesource.com/1240534
Reviewed-by: chromium-autoroll <chromium-autoroll@skia-public.iam.gserviceaccount.com>
Commit-Queue: chromium-autoroll <chromium-autoroll@skia-public.iam.gserviceaccount.com>
Cr-Commit-Position: refs/heads/master@{#593606}

[modify] https://crrev.com/6800720983c8b8a99ed7ee4cc227e6432b33f267/DEPS
,
Sep 24
Reverted as it breaks a Chromium test that depended on OpenAction opening a URI. Will try to fix the test and reland.
,
Sep 27
*** Boilerplate reminders! ***

Please do NOT publicly disclose details until a fix has been released to all our users. Early public disclosure may cancel the provisional reward. Also, please be considerate about disclosure when the bug affects a core library that may be used by other products.

Please do NOT share this information with third parties who are not directly involved in fixing the bug. Doing so may cancel the provisional reward. Please be honest if you have already disclosed anything publicly or to third parties.

Lastly, we understand that some of you are not interested in money. We offer the option to donate your reward to an eligible charity. If you prefer this option, let us know and we will also match your donation - subject to our discretion. Any rewards that are unclaimed after 12 months will be donated to a charity of our choosing.

*********************************
,
Sep 27
Thank you for the reward
,
Sep 28
Most welcome! A member of our finance team will be in touch to arrange payment. Also, how would you like to be credited in our release notes?
,
Sep 28
,
Sep 28
Noted, thanks!
,
Sep 28
,
Oct 2
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/33b9b0262029fea75c436229f9bdfe74b1937ad2

commit 33b9b0262029fea75c436229f9bdfe74b1937ad2
Author: Henrique Nakashima <hnakashima@chromium.org>
Date: Tue Oct 02 22:29:10 2018

Change TemporaryAddressSpoof test to not depend on PDF OpenActions.

OpenActions that navigate to URIs are going to be blocked when https://pdfium-review.googlesource.com/c/pdfium/+/42731 relands. It was reverted because this test was breaking and blocking the pdfium roll into chromium.

The test will now click on a link in the PDF that navigates to the URI.

Bug: 851821
Change-Id: I49853e99de7b989858b1962ad4a92a4168d4c2db
Reviewed-on: https://chromium-review.googlesource.com/c/1244367
Commit-Queue: Henrique Nakashima <hnakashima@chromium.org>
Reviewed-by: Charlie Reis <creis@chromium.org>
Reviewed-by: Devlin <rdevlin.cronin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#596011}

[modify] https://crrev.com/33b9b0262029fea75c436229f9bdfe74b1937ad2/chrome/browser/extensions/api/tabs/tabs_test.cc
[modify] https://crrev.com/33b9b0262029fea75c436229f9bdfe74b1937ad2/chrome/test/data/extensions/api_test/tabs/pdf_extension_test.html
,
Oct 3
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/07e0c65c7b6b076fb2c3baefe19ef7451db9071f

commit 07e0c65c7b6b076fb2c3baefe19ef7451db9071f
Author: chromium-autoroll <chromium-autoroll@skia-public.iam.gserviceaccount.com>
Date: Wed Oct 03 21:31:09 2018

Roll src/third_party/pdfium f9e0498bb1ce..2ff6cd661c02 (5 commits)

https://pdfium.googlesource.com/pdfium.git/+log/f9e0498bb1ce..2ff6cd661c02

git log f9e0498bb1ce..2ff6cd661c02 --date=short --no-merges --format='%ad %ae %s'
2018-10-03 tsepez@chromium.org Make CCodec_ProgressiveDecoder::ReadMoreData() slightly saner
2018-10-03 hnakashima@chromium.org Reland "Make potentially dangerous Actions require a user click."
2018-10-03 thestig@chromium.org Fix nits in CFX_FontSourceEnum_File.
2018-10-03 thestig@chromium.org Split CFX_FontSourceEnum_File into its own file.
2018-10-03 thestig@chromium.org Add FxFolderHandleCloser for use with std::unique_ptr.

Created with:
  gclient setdep -r src/third_party/pdfium@2ff6cd661c02

The AutoRoll server is located here: https://autoroll.skia.org/r/pdfium-autoroll

Documentation for the AutoRoller is here: https://skia.googlesource.com/buildbot/+/master/autoroll/README.md

If the roll is causing failures, please contact the current sheriff, who should be CC'd on the roll, and stop the roller if necessary.

BUG= chromium:851821
TBR=dsinclair@chromium.org

Change-Id: Id2e46631c3c86f62a70337eaf11dfe7e06ff6a8a
Reviewed-on: https://chromium-review.googlesource.com/c/1259491
Reviewed-by: chromium-autoroll <chromium-autoroll@skia-public.iam.gserviceaccount.com>
Commit-Queue: chromium-autoroll <chromium-autoroll@skia-public.iam.gserviceaccount.com>
Cr-Commit-Position: refs/heads/master@{#596374}

[modify] https://crrev.com/07e0c65c7b6b076fb2c3baefe19ef7451db9071f/DEPS
,
Oct 11
Relanded some days ago, marking as fixed again.
,
Oct 12
Glad to know that :-) Thanks,
,
Oct 22
Issue 852716 has been merged into this issue.
,
Oct 22
,
Nov 13
Issue 904643 has been merged into this issue.
,
Nov 16
Issue 905944 has been merged into this issue.
,
Nov 16
Issue 905945 has been merged into this issue.
,
Nov 19
Issue 905550 has been merged into this issue.
,
Dec 3
,
Dec 11
,
Dec 12
Is it okay to publicly disclose this?
,
Dec 12
Re #39 - would you mind waiting a week? That will allow M71 rollout to hit 100%.
,
Dec 15
Yes sure
,
Jan 4
,
Jan 18
(4 days ago)
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by elawrence@chromium.org, Jun 12 2018
Components: Internals>Plugins>PDF